Skip to main content

Falang Multilanguage EUVDEUVD-2026-37641

| CVE-2026-54805 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-17 Patchstack
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable WordPress endpoint (AV:N), straightforward request (AC:L), requires authenticated Subscriber account (PR:L), no admin interaction (UI:N); role escalation yields full site control (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 11:52 vuln.today

DescriptionCVE.org

Subscriber Privilege Escalation in Falang multilanguage <= 1.4.2 versions.

AnalysisAI

Privilege escalation in the Falang Multilanguage WordPress plugin (versions <= 1.4.2) allows authenticated low-privileged users (Subscriber role) to elevate their permissions on affected sites. The flaw is rooted in improper privilege management (CWE-266) and carries a CVSS 3.1 score of 8.8 with high confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register Subscriber account on target
Delivery
Authenticate to WordPress
Exploit
Send crafted request to vulnerable Falang endpoint
Execution
Escalate role to Administrator
Persist
Install malicious plugin or webshell
Impact
Full site compromise

Vulnerability AssessmentAI

Exploitation Requires (1) a WordPress site running the Falang Multilanguage plugin at version 1.4.2 or earlier, and (2) a valid authenticated session at the Subscriber role or higher (per CVSS PR:L) - typically obtainable on sites with open user registration enabled in WordPress (Settings > General > 'Anyone can register'). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, 8.8) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with full CIA impact - consistent with a Subscriber-to-Admin escalation on a WordPress site. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber account on a WordPress site running Falang Multilanguage <= 1.4.2 (or compromises an existing low-privilege account via credential stuffing). They then send a crafted authenticated request to a Falang plugin endpoint that fails to enforce capability checks, escalating their account to Administrator and gaining full control of the site, including the ability to install malicious plugins or pivot to the underlying server. …
Remediation Patch available per vendor advisory - administrators should upgrade Falang Multilanguage to the latest version above 1.4.2 as published on WordPress.org, following guidance in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/falang/vulnerability/wordpress-falang-multilanguage-plugin-1-4-2-privilege-escalation-vulnerability (an exact fixed version is not independently confirmed in the provided data, so verify on WordPress.org before deploying). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress installations for Falang Multilanguage plugin; document version and deployment scope; disable plugin on non-critical sites. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37641 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy